"Key table entry not found while getting initial credentials" + KRB5KDC_ERR_PREAUTH_REQUIRED

Ken Raeburn raeburn at MIT.EDU
Wed May 14 11:04:10 EDT 2008


Another workaround would be to put keys of all supported types into  
the keytab, not just one.  It's not a 100% solution, because if you  
upgrade the implementation and it adds new encryption types that the  
KDC also knows about, that won't automagically update the keytab  
file.  Or, save away the password itself and use it when getting new  
credentials; also not a great idea, depending on the use case and  
threat model.

For a server principal, it's expected that the KDC knows the set of  
encryption types available.  But for password-based user keys saved  
away, yes, perhaps we should be using the actual enctypes stored....

Ken
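
Added example (not part of the original message, and not MIT krb5 code): a check for the first workaround above, listing for each principal in a keytab which enctypes from a wanted set have no key. It assumes the keytab file format version 0x0502; the principals, all-zero keys and the WANTED list are constructed for illustration.

```python
import struct

def keytab_enctypes(data):
    """Map each principal in a version 0x0502 keytab to the set of enctype numbers it has keys for."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size: deleted entry (hole) to skip
            pos += -size
            continue
        entry, pos, off = data[pos:pos + size], pos + size, 2
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        names = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            names.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 4 + 4 + 1                   # name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", entry, off)
        found.setdefault("/".join(names[1:]) + "@" + names[0], set()).add(etype)
    return found

def missing_enctypes(data, wanted):
    """Return {principal: sorted enctypes from `wanted` that have no key in the keytab}."""
    gaps = {p: sorted(set(wanted) - have) for p, have in keytab_enctypes(data).items()}
    return {p: g for p, g in gaps.items() if g}

def make_entry(principal, realm, etype, key, kvno=1):
    """Build one keytab entry; used only to construct sample data."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: alice has only an arcfour-hmac (23) key, bob has 23 and aes256 (18).
SAMPLE = (b"\x05\x02" + make_entry("alice", "EXAMPLE.COM", 23, bytes(16))
          + make_entry("bob", "EXAMPLE.COM", 23, bytes(16))
          + make_entry("bob", "EXAMPLE.COM", 18, bytes(32)))
WANTED = [18, 23]   # assumed set of enctypes the client library and KDC both support

if __name__ == "__main__":
    for principal, gaps in missing_enctypes(SAMPLE, WANTED).items():
        print(principal, "has no key for enctypes", gaps)
```

Rerunning such a check after a library upgrade, with WANTED extended, shows the gap the message describes: newly supported enctypes do not appear in an existing keytab on their own.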


